# DATA PROCESSING AGREEMENT

entered into on _____________ between:

[COMPANY / CLINIC NAME], with registered office in _____________,
Tax ID: _____________, represented by _____________
(hereinafter: "Controller")

and

Michal Lebida, operating under the name Flowright,
Tax ID: 6793280285, Krakow, Poland
(hereinafter: "Processor")

hereinafter referred to as the "DPA"


## Section 1. Subject matter

1.1. Pursuant to Article 28 GDPR, the Controller entrusts the Processor with the processing of personal data within the scope and purpose specified in this Agreement.

1.2. Processing shall take place solely for the purpose of performing the Service Agreement (configuration and maintenance of the AI System).


## Section 2. Scope of processing

2.1. Categories of data subjects: patients/clients of the Controller
2.2. Types of data:
  - first and last name
  - phone number
  - email address
  - preferred appointment date
  - reason for visit (NOTE: may constitute health data within the meaning of Article 9 GDPR)
2.3. Nature and purpose: handling inquiries, booking appointments, sending reminders
2.4. Duration of processing: for the duration of the Service Agreement


## Section 3. Obligations of the Processor

The Processor undertakes to:
a) process data only on documented instructions from the Controller;
b) ensure that persons authorized to process personal data have committed to confidentiality;
c) implement technical and organizational measures pursuant to Article 32 GDPR, in particular:
   - encryption of data in transit (TLS) and at rest
   - role-based access control
   - pseudonymization where possible
   - regular security testing;
d) comply with the conditions for sub-processing (Section 4);
e) assist the Controller in fulfilling data subject rights (Articles 15-22 GDPR);
f) assist with DPIAs and consultations with the supervisory authority (Articles 35-36 GDPR);
g) upon termination of the Agreement: delete or return data within 30 days, at the Controller's request;
h) make available all information necessary to demonstrate compliance and allow for audits.


## Section 4. Sub-processors

4.1. The Controller grants general authorization for the use of sub-processors.

4.2. Current list of sub-processors:
  - Chatbase Inc. (USA) - chatbot platform (DPF + SCC; DPA: chatbase.co/dpa)
  - OpenAI Ireland Ltd. (Ireland) - AI model (DPF + SCC; DPA: openai.com/policies/data-processing-addendum)
  - Anthropic (USA) - AI models (DPF + SCC)
  - Vercel Inc. (USA) - hosting (DPF + SCC)
  - Calendly LLC (USA) - appointment scheduling (DPF + SCC)
  - CookieYes Ltd. (UK) - cookie consent management

4.3. The Processor shall inform the Controller of any changes with 14 days' prior notice. The Controller may raise an objection within 14 days.


## Section 5. Transfer of data outside the EU/EEA

5.1. Data may be transferred to the USA on the basis of:
  a) EU-US Data Privacy Framework (adequacy decision of 10.07.2023);
  b) Standard Contractual Clauses (SCC) as a supplementary mechanism.
5.2. The Processor has conducted a Transfer Impact Assessment (TIA) and implemented supplementary measures: data minimization before sending to the API, encryption, pseudonymization.


## Section 6. Personal data breach

6.1. The Processor shall notify the Controller of any personal data breach no later than 48 hours after becoming aware of it.

6.2. The notification shall include: a description of the breach, categories of data affected, approximate number of individuals, likely consequences, and remedial measures taken.


## Section 7. Final provisions

7.1. This DPA shall remain in force for the duration of the Service Agreement.
7.2. Matters not regulated herein shall be governed by the GDPR and Polish law.
7.3. This Agreement has been drawn up in two identical copies.


Controller:                       Processor:
_________________________         _________________________
(signature, stamp)                (signature)
